Log of all PIDs starting, with program and timestamp possible?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
Something is constantly causing mischief on my system, but I have not been able to identify which program it is. It happens a few times every hour. I've found the PIDs in a log, but the program is very short lived so by the time I can ps -fp pid, it's gone.
Can I set up logging somehow to see what all PIDs were afterwards? Which program say pid 12345 was with a timestamp? I've tried running find /proc/ -maxdepth 2 -name cmdline -mmin -3 -not -type d|while read l;do echo -n $l;cat $l;done and variants of that frequently, but without success. I'm running Ubuntu 16.04.
linux ubuntu
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
add a comment |
Something is constantly causing mischief on my system, but I have not been able to identify which program it is. It happens a few times every hour. I've found the PIDs in a log, but the program is very short lived so by the time I can ps -fp pid, it's gone.
Can I set up logging somehow to see what all PIDs were afterwards? Which program say pid 12345 was with a timestamp? I've tried running find /proc/ -maxdepth 2 -name cmdline -mmin -3 -not -type d|while read l;do echo -n $l;cat $l;done and variants of that frequently, but without success. I'm running Ubuntu 16.04.
linux ubuntu
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
add a comment |
Something is constantly causing mischief on my system, but I have not been able to identify which program it is. It happens a few times every hour. I've found the PIDs in a log, but the program is very short lived so by the time I can ps -fp pid, it's gone.
Can I set up logging somehow to see what all PIDs were afterwards? Which program say pid 12345 was with a timestamp? I've tried running find /proc/ -maxdepth 2 -name cmdline -mmin -3 -not -type d|while read l;do echo -n $l;cat $l;done and variants of that frequently, but without success. I'm running Ubuntu 16.04.
linux ubuntu
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
Something is constantly causing mischief on my system, but I have not been able to identify which program it is. It happens a few times every hour. I've found the PIDs in a log, but the program is very short lived so by the time I can ps -fp pid, it's gone.
Can I set up logging somehow to see what all PIDs were afterwards? Which program say pid 12345 was with a timestamp? I've tried running find /proc/ -maxdepth 2 -name cmdline -mmin -3 -not -type d|while read l;do echo -n $l;cat $l;done and variants of that frequently, but without success. I'm running Ubuntu 16.04.
linux ubuntu
linux ubuntu
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
asked Feb 9 at 17:38
Kjetil S.Kjetil S.
1713
1713
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
I used to administer a public shell host where users ran all sorts of processes that occasionally went rogue. We had root cron jobs that looked like this:
* * * * * (date; ps auxwwww) >> /var/log/ps.log
* * * * * (date; lsof -n) >> /var/log/lsof.log
We also installed rotation for the two log files so they wouldn't overflow.
When we observed problems with the system, we would review the ps log to catch the name of the rogue process and its arguments, and the lsof logs to find the process's executable image and any interesting files it had open.
However, if the rogue process you're looking for runs for a few seconds or less, then it's not likely to get caught by the above scripts which only run once a minute. You can write your own monitoring script that runs the above commands at a faster rate, say once every second.
If that's still not enough to catch it, you'll need something that vacuums up data from every process in the system. An Ubuntu 16.04 machine should be able to run relatively recent performance tools like bpf:
http://www.brendangregg.com/blog/2016-06-14/ubuntu-xenial-bcc-bpf.html
If that's not an option, you could try to use strace on the rogue process's parent process, assuming you knew what it was. If it's something being run out of cron or a user logging via ssh, a carefully written strace command that only captures process events and ignores everything else might work - but be very careful as it could be disruptive, especially if you trace too many things at once.
Finally, you don't specify what "mischief" is happening on your system - there are ways to trigger commands based on system events (update of a file, appearance of a packet on the network interface, CPU getting too high) that might work for you depending on your symptoms.
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
Thx for commenting, but once a minute is way too infrequent. The process takes less than 0.1 sec to finish. I found the very guilty program (which used a wrong APIkey and got me suspended from that service for an hour at a time). But to learn more about Linux I would still be interested to know if there is a way to log every new PID that is started with program path and timestamp.
– Kjetil S.
Feb 11 at 16:05
You can get almost what you want with Linux process accounting - see tecmint.com/… It captures the user and program name, but not the PID.
– Velo Traveler
Mar 4 at 2:25
add a comment |
You can try to make a cron task that extract new process and log it to a file.
For example a command executing every minutes doing a ps wich select only process younger than the last cron execution and log it in a file. With chance you will catch it.
answered Feb 9 at 17:45
redhenessredheness
367
I think that is a variant of thefindcommand I described. I'll guess I'll just let it run for a longer period and eventually I'll get lucky.
– Kjetil S.
Feb 9 at 17:53
The point is to try the command many time to cath it one time, one or orher command is not important
– redheness
Feb 9 at 18:03
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403926%2flog-of-all-pids-starting-with-program-and-timestamp-possible%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I used to administer a public shell host where users ran all sorts of processes that occasionally went rogue. We had root cron jobs that looked like this:
* * * * * (date; ps auxwwww) >> /var/log/ps.log
* * * * * (date; lsof -n) >> /var/log/lsof.log
We also installed rotation for the two log files so they wouldn't overflow.
When we observed problems with the system, we would review the ps log to catch the name of the rogue process and its arguments, and the lsof logs to find the process's executable image and any interesting files it had open.
However, if the rogue process you're looking for runs for a few seconds or less, then it's not likely to get caught by the above scripts which only run once a minute. You can write your own monitoring script that runs the above commands at a faster rate, say once every second.
If that's still not enough to catch it, you'll need something that vacuums up data from every process in the system. An Ubuntu 16.04 machine should be able to run relatively recent performance tools like bpf:
http://www.brendangregg.com/blog/2016-06-14/ubuntu-xenial-bcc-bpf.html
If that's not an option, you could try to use strace on the rogue process's parent process, assuming you knew what it was. If it's something being run out of cron or a user logging via ssh, a carefully written strace command that only captures process events and ignores everything else might work - but be very careful as it could be disruptive, especially if you trace too many things at once.
Finally, you don't specify what "mischief" is happening on your system - there are ways to trigger commands based on system events (update of a file, appearance of a packet on the network interface, CPU getting too high) that might work for you depending on your symptoms.
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
Thx for commenting, but once a minute is way too infrequent. The process takes less than 0.1 sec to finish. I found the very guilty program (which used a wrong APIkey and got me suspended from that service for an hour at a time). But to learn more about Linux I would still be interested to know if there is a way to log every new PID that is started with program path and timestamp.
– Kjetil S.
Feb 11 at 16:05
You can get almost what you want with Linux process accounting - see tecmint.com/… It captures the user and program name, but not the PID.
– Velo Traveler
Mar 4 at 2:25
add a comment |
I used to administer a public shell host where users ran all sorts of processes that occasionally went rogue. We had root cron jobs that looked like this:
* * * * * (date; ps auxwwww) >> /var/log/ps.log
* * * * * (date; lsof -n) >> /var/log/lsof.log
We also installed rotation for the two log files so they wouldn't overflow.
When we observed problems with the system, we would review the ps log to catch the name of the rogue process and its arguments, and the lsof logs to find the process's executable image and any interesting files it had open.
However, if the rogue process you're looking for runs for a few seconds or less, then it's not likely to get caught by the above scripts which only run once a minute. You can write your own monitoring script that runs the above commands at a faster rate, say once every second.
If that's still not enough to catch it, you'll need something that vacuums up data from every process in the system. An Ubuntu 16.04 machine should be able to run relatively recent performance tools like bpf:
http://www.brendangregg.com/blog/2016-06-14/ubuntu-xenial-bcc-bpf.html
If that's not an option, you could try to use strace on the rogue process's parent process, assuming you knew what it was. If it's something being run out of cron or a user logging via ssh, a carefully written strace command that only captures process events and ignores everything else might work - but be very careful as it could be disruptive, especially if you trace too many things at once.
Finally, you don't specify what "mischief" is happening on your system - there are ways to trigger commands based on system events (update of a file, appearance of a packet on the network interface, CPU getting too high) that might work for you depending on your symptoms.
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
Thx for commenting, but once a minute is way too infrequent. The process takes less than 0.1 sec to finish. I found the very guilty program (which used a wrong APIkey and got me suspended from that service for an hour at a time). But to learn more about Linux I would still be interested to know if there is a way to log every new PID that is started with program path and timestamp.
– Kjetil S.
Feb 11 at 16:05
You can get almost what you want with Linux process accounting - see tecmint.com/… It captures the user and program name, but not the PID.
– Velo Traveler
Mar 4 at 2:25
add a comment |
I used to administer a public shell host where users ran all sorts of processes that occasionally went rogue. We had root cron jobs that looked like this:
* * * * * (date; ps auxwwww) >> /var/log/ps.log
* * * * * (date; lsof -n) >> /var/log/lsof.log
We also installed rotation for the two log files so they wouldn't overflow.
When we observed problems with the system, we would review the ps log to catch the name of the rogue process and its arguments, and the lsof logs to find the process's executable image and any interesting files it had open.
However, if the rogue process you're looking for runs for a few seconds or less, then it's not likely to get caught by the above scripts which only run once a minute. You can write your own monitoring script that runs the above commands at a faster rate, say once every second.
If that's still not enough to catch it, you'll need something that vacuums up data from every process in the system. An Ubuntu 16.04 machine should be able to run relatively recent performance tools like bpf:
http://www.brendangregg.com/blog/2016-06-14/ubuntu-xenial-bcc-bpf.html
If that's not an option, you could try to use strace on the rogue process's parent process, assuming you knew what it was. If it's something being run out of cron or a user logging via ssh, a carefully written strace command that only captures process events and ignores everything else might work - but be very careful as it could be disruptive, especially if you trace too many things at once.
Finally, you don't specify what "mischief" is happening on your system - there are ways to trigger commands based on system events (update of a file, appearance of a packet on the network interface, CPU getting too high) that might work for you depending on your symptoms.
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
I used to administer a public shell host where users ran all sorts of processes that occasionally went rogue. We had root cron jobs that looked like this:
* * * * * (date; ps auxwwww) >> /var/log/ps.log
* * * * * (date; lsof -n) >> /var/log/lsof.log
We also installed rotation for the two log files so they wouldn't overflow.
When we observed problems with the system, we would review the ps log to catch the name of the rogue process and its arguments, and the lsof logs to find the process's executable image and any interesting files it had open.
However, if the rogue process you're looking for runs for a few seconds or less, then it's not likely to get caught by the above scripts which only run once a minute. You can write your own monitoring script that runs the above commands at a faster rate, say once every second.
If that's still not enough to catch it, you'll need something that vacuums up data from every process in the system. An Ubuntu 16.04 machine should be able to run relatively recent performance tools like bpf:
http://www.brendangregg.com/blog/2016-06-14/ubuntu-xenial-bcc-bpf.html
If that's not an option, you could try to use strace on the rogue process's parent process, assuming you knew what it was. If it's something being run out of cron or a user logging via ssh, a carefully written strace command that only captures process events and ignores everything else might work - but be very careful as it could be disruptive, especially if you trace too many things at once.
Finally, you don't specify what "mischief" is happening on your system - there are ways to trigger commands based on system events (update of a file, appearance of a packet on the network interface, CPU getting too high) that might work for you depending on your symptoms.
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
answered Feb 9 at 20:11
Velo TravelerVelo Traveler
1294
1294
Thx for commenting, but once a minute is way too infrequent. The process takes less than 0.1 sec to finish. I found the very guilty program (which used a wrong APIkey and got me suspended from that service for an hour at a time). But to learn more about Linux I would still be interested to know if there is a way to log every new PID that is started with program path and timestamp.
– Kjetil S.
Feb 11 at 16:05
You can get almost what you want with Linux process accounting - see tecmint.com/… It captures the user and program name, but not the PID.
– Velo Traveler
Mar 4 at 2:25
add a comment |
Thx for commenting, but once a minute is way too infrequent. The process takes less than 0.1 sec to finish. I found the very guilty program (which used a wrong APIkey and got me suspended from that service for an hour at a time). But to learn more about Linux I would still be interested to know if there is a way to log every new PID that is started with program path and timestamp.
– Kjetil S.
Feb 11 at 16:05
You can get almost what you want with Linux process accounting - see tecmint.com/… It captures the user and program name, but not the PID.
– Velo Traveler
Mar 4 at 2:25
Thx for commenting, but once a minute is way too infrequent. The process takes less than 0.1 sec to finish. I found the very guilty program (which used a wrong APIkey and got me suspended from that service for an hour at a time). But to learn more about Linux I would still be interested to know if there is a way to log every new PID that is started with program path and timestamp.
– Kjetil S.
Feb 11 at 16:05
Thx for commenting, but once a minute is way too infrequent. The process takes less than 0.1 sec to finish. I found the very guilty program (which used a wrong APIkey and got me suspended from that service for an hour at a time). But to learn more about Linux I would still be interested to know if there is a way to log every new PID that is started with program path and timestamp.
– Kjetil S.
Feb 11 at 16:05
You can get almost what you want with Linux process accounting - see tecmint.com/… It captures the user and program name, but not the PID.
– Velo Traveler
Mar 4 at 2:25
You can get almost what you want with Linux process accounting - see tecmint.com/… It captures the user and program name, but not the PID.
– Velo Traveler
Mar 4 at 2:25
add a comment |
You can try to make a cron task that extract new process and log it to a file.
For example a command executing every minutes doing a ps wich select only process younger than the last cron execution and log it in a file. With chance you will catch it.
answered Feb 9 at 17:45
redhenessredheness
367
I think that is a variant of thefindcommand I described. I'll guess I'll just let it run for a longer period and eventually I'll get lucky.
– Kjetil S.
Feb 9 at 17:53
The point is to try the command many time to cath it one time, one or orher command is not important
– redheness
Feb 9 at 18:03
add a comment |
You can try to make a cron task that extract new process and log it to a file.
For example a command executing every minutes doing a ps wich select only process younger than the last cron execution and log it in a file. With chance you will catch it.
answered Feb 9 at 17:45
redhenessredheness
367
I think that is a variant of thefindcommand I described. I'll guess I'll just let it run for a longer period and eventually I'll get lucky.
– Kjetil S.
Feb 9 at 17:53
The point is to try the command many time to cath it one time, one or orher command is not important
– redheness
Feb 9 at 18:03
add a comment |
You can try to make a cron task that extract new process and log it to a file.
For example a command executing every minutes doing a ps wich select only process younger than the last cron execution and log it in a file. With chance you will catch it.
answered Feb 9 at 17:45
redhenessredheness
367
You can try to make a cron task that extract new process and log it to a file.
For example a command executing every minutes doing a ps wich select only process younger than the last cron execution and log it in a file. With chance you will catch it.
answered Feb 9 at 17:45
redhenessredheness
367
answered Feb 9 at 17:45
redhenessredheness
367
answered Feb 9 at 17:45
redhenessredheness
367
answered Feb 9 at 17:45
redhenessredheness
367
367
I think that is a variant of thefindcommand I described. I'll guess I'll just let it run for a longer period and eventually I'll get lucky.
– Kjetil S.
Feb 9 at 17:53
The point is to try the command many time to cath it one time, one or orher command is not important
– redheness
Feb 9 at 18:03
add a comment |
I think that is a variant of thefindcommand I described. I'll guess I'll just let it run for a longer period and eventually I'll get lucky.
– Kjetil S.
Feb 9 at 17:53
The point is to try the command many time to cath it one time, one or orher command is not important
– redheness
Feb 9 at 18:03
I think that is a variant of the
find command I described. I'll guess I'll just let it run for a longer period and eventually I'll get lucky.– Kjetil S.
Feb 9 at 17:53
I think that is a variant of the
find command I described. I'll guess I'll just let it run for a longer period and eventually I'll get lucky.– Kjetil S.
Feb 9 at 17:53
The point is to try the command many time to cath it one time, one or orher command is not important
– redheness
Feb 9 at 18:03
The point is to try the command many time to cath it one time, one or orher command is not important
– redheness
Feb 9 at 18:03
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1403926%2flog-of-all-pids-starting-with-program-and-timestamp-possible%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
